Roughly 30% of reported vulnerabilities have public exploits

Nov 20, 2018 00:58 GMT

Approximately half of all vulnerabilities disclosed so far in 2018 have a remote attack vector, while only 13% require local access, according to Risk Based Security's 2018 Q3 Vulnerability Quick View Report.

As reported by Risk Based Security, its VulnDB team had published 16,172 vulnerabilities through the end of Q3 2018, a 7% decrease compared with the same period of 2017.

"The trends through Q3 2018, as compared to 2017, are interesting. Only three months, January (4.5%), February (24.6%), and May (7.6%) showed an increase in disclosures compared to 2017," says Risk Based Security. "The remaining months showed decreases ranging from July with a 1.7% dip, to September with a significant 40.0% drop."

Of all vulnerabilities published through October 29, around half can be exploited by attackers using remote attack vectors, while about 30% have context-dependent vectors (exploitation needs the victim to take some action, such as opening a crafted file or visiting a malicious page).

Around 44% of all disclosed vulns also come with enough details for an exploit to be developed

Furthermore, roughly 13% of vulnerabilities require attackers to first gain local access to the targeted device, only 5.8% affect mobile devices, and a mere 1% require wireless proximity.

According to Risk Based Security, a proof of concept (PoC) or a description detailed enough to build an exploit from accompanies almost 43.7% of all vulnerability reports, and more than 12% of them had working exploits available on the Internet that were not written by the researchers who found the flaw.

It's also important to note that the vast majority of vulnerabilities reported through the end of Q3 2018 were caused by "insufficient or improper input validation," a clear sign that development teams still need stronger secure development lifecycle (SDL) practices and code auditing to keep this class of flaw out of shipped products.
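To make the "insufficient or improper input validation" bug class concrete, here is an added illustration that is not taken from the report or from any product it covers: a small parser for a made-up length-prefixed record format, written once without checks and once with them. The format, the size limit and the sample inputs are all constructed for this example.

```python
"""Added example (not from Risk Based Security's report): the same record parser
with insufficient input validation and with proper validation.

Constructed wire format for the example: a 2-byte big-endian length followed by
that many payload bytes. MAX_PAYLOAD is an assumed application limit."""
import struct

MAX_PAYLOAD = 64  # assumed limit for this hypothetical format


def parse_unvalidated(blob: bytes) -> bytes:
    """Weak version: trusts the declared length and never compares it with the
    bytes actually present. A truncated blob is silently shortened, an oversized
    one is accepted in full, and trailing garbage is ignored; none of these raise."""
    (length,) = struct.unpack(">H", blob[:2])
    return blob[2:2 + length]


def parse_validated(blob: bytes) -> bytes:
    """Hardened version: every field is checked against the format's limits and
    against the data really received before any of it is used."""
    if len(blob) < 2:
        raise ValueError("header truncated")
    (length,) = struct.unpack(">H", blob[:2])
    if length > MAX_PAYLOAD:
        raise ValueError(f"declared length {length} exceeds limit {MAX_PAYLOAD}")
    if len(blob) != 2 + length:
        raise ValueError(
            f"declared length {length} does not match {len(blob) - 2} payload bytes")
    return blob[2:]


# Constructed sample inputs.
GOOD = struct.pack(">H", 5) + b"hello"
TRUNCATED = struct.pack(">H", 500) + b"hello"          # claims 500 bytes, carries 5
OVERSIZED = struct.pack(">H", 65535) + b"x" * 65535    # valid u16, far above the limit
TRAILING = struct.pack(">H", 5) + b"hello" + b"junk"   # extra bytes after the payload


def compare(blob: bytes):
    """Return (weak_result, hardened_result) for one blob, where the hardened
    result is either the payload or a string starting with 'rejected:'."""
    weak = parse_unvalidated(blob)
    try:
        hard = parse_validated(blob)
    except ValueError as err:
        hard = f"rejected: {err}"
    return weak, hard


if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("TRUNCATED", TRUNCATED),
                       ("OVERSIZED", OVERSIZED), ("TRAILING", TRAILING)]:
        weak, hard = compare(blob)
        print(f"{name:10} weak={weak[:12]!r}(len {len(weak)}) hardened={hard!r}"
              if isinstance(hard, str) else
              f"{name:10} weak={weak!r} hardened={hard!r}")
```

The weak parser never fails on malformed input; it just returns something, which is exactly how a length mismatch turns into an out-of-bounds read in C or a memory-exhaustion or parser-differential problem in a managed language. The validated version rejects truncated, oversized and trailing-data inputs with a specific error, so the malformed case is handled once, at the boundary, instead of being discovered later by whatever consumes the payload.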

"A large number of the vulnerabilities reported in 2018 have either updated versions or patches available. However, 24.9% of the reported vulnerabilities currently have no known solution," also reports Risk Based Security. "This underlines that while patching is very important, it cannot be relied on exclusively as a remedy."

[Figures: Vulnerabilities; Exploit location; Vulnerabilities by solution type]